Threat actors actively exploit a critical authentication bypass vulnerability impacting home routers with Arcadyan firmware to take them over and deploy Mirai botnet malicious payloads. Tracked as CVE-2021-20090 is a critical path traversal vulnerability (rated 9.9/10

Millions of routers likely exposed to attacks
Vulnerable devices include dozens of router models from multiple vendors and ISPs, including Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus. Reaching millions of devices likely affected

“This vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors, and that is touched on in a white paper Tenable has released”.

Attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China. Using malicious tools to deploy a Mirai botnet variant, similar to those used in a Mirai campaign targeting IoT and network security devices.

The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability.

Given that most people may not even be aware of the security risk and won’t be upgrading their device anytime soon, this attack tactic can be very successful, cheap and easy to carry out.